On the world stage, healthcare cyber-attacks and large-scale data breaches are on the rise. Both malicious attacks and the unforeseen consequences of technology have compromised millions of patient data files.

In 2024 so far, the news has been peppered with these stories and the millions affected. It seems that no part of the healthcare ecosystem has been untouched –  including providers, payers, and government agencies. Let’s look at some of these high-profile attacks and what they mean for patients, providers, and the industry as a whole.

Why are Healthcare Organizations Targeted?

To understand the potential value of stolen data from healthcare organizations, one must understand that the internet we typically see in daily usage is only the tip of an exceptionally large iceberg. Beneath the easily accessible, searchable web is an enormous body of un-indexed content that cannot be accessed by search engines. A portion of this “deep web” is more nefarious – labeled the “dark web.” The dark web is inaccessible by traditional browsers and search engines and is designed to be anonymous and a breeding ground for illegal activities.

How much does a stolen medical record fetch on the dark web? A CNBC report quotes $60 for a medical record, compared to $15 for a social security number and $3 for a credit card. Hackers who attack large organizations are rewarded with millions of records, with a potentially huge payout.

Marketplaces within the dark web offer stolen data, which can then be used for identity theft, and a different type called medical identity theft – where expensive services are then fraudulently billed.

Change Healthcare

On February 21, 2024, one of the largest cyberattacks in history occurred by a group identifying itself as ALPHV/BlackCat. Change Healthcare, which UnitedHealth Group owns, manages a whopping 15 billion transactions annually. Almost half of the nation’s medical claims are processed through their electronic clearinghouse.

The attack affected billing and care authorization portals, leading to prescription backlogs, missed procedures, and lack of payment for providers. The attack was so large that members of the US Senate called for action from leading medical organizations like the American Medical Association to help support physician practices and keep them functioning. CMS stepped in and made advanced payments available, similar to what happened during the COVID-19 pandemic.

Change Healthcare has declined to reveal how much ransom was paid (if any). However, a report from Wired states that the hacker group received a $22 million transaction after the attack. It took at least 2 weeks, and even longer for some services, for Change to be back online.

The Office of Civil Rights and DHHS are investigating whether a HIPAA breach occurred in the attack and examining Change Healthcare and United HealthGroup’s compliance strategies.

Kaiser Foundation Health Plan

In a bit of a twist, the  April 2024 Kaiser breach was not caused by a hacker group, but by its own website. 13.4 million residents were affected by the breach, which was attributed to an improper tracking code implementation on its website. This resulted in data being shared with third-party companies like Google, Microsoft, and X (formerly Twitter). To learn more about web trackers and related breaches, check out this related article[KS1] .

The data shared was enough to be considered a major breach – IP addresses, logins to Kaiser Permanente accounts, and details about how members navigated through the website – including search terms used for health conditions on the organization’s educational health encyclopedia.

Ascension

May 8, 2024, saw healthcare conglomerate Ascension breached in a ransomware attack, affecting all of its 142 hospitals. An employee unknowingly downloaded a malicious file, giving hackers a foothold and allowing them to breach seven servers and encrypt files. The attack is currently attributed to the Russia-linked group Black Basta. It is unknown how much Ascension paid, or if they paid a ransom – however, the group has reportedly collected over $100 million in ransoms since 2022.

Unfortunately, it took until June 5th for EHR access to be restored in some of Ascension’s market areas, and the rest by June 14. Critical systems were down, forcing staff to revert to paper charting and downtime processes. Several employees voiced concerns to the media about patient safety and the inability to access important information like patient medication lists and medical history. Lab results and other reports are delayed without electronic access and the integration the health system is used to.

Multiple patients have already filed suit, with more assumed to follow.

Is the Future of Healthcare Data Security Grim?

Until healthcare cybersecurity catches up to other sectors, like the financial sector, experts predict these massive data security incidents will continue to occur. The over-consolidation of healthcare is partially to blame – as small practices and hospitals get bought up by large systems, attacks have a much larger impact than they otherwise would.

As multiple government agencies investigate, the coming months will reveal more about both the Change Healthcare and Ascension cyber-attacks. Private cyber-security firms anticipate greater spending within the healthcare sector to beef up systems and put new security features in place.

As often happens in healthcare when bad things happen – important lessons are learned. Cybercriminals are becoming ever more sophisticated and creative, and sometimes the newest tech hasn’t been adequately trialed. As vulnerabilities are revealed, other organizations can learn from those and act accordingly.

New regulations and minimum security requirements are likely to be enacted, and it will be in every organization’s best interest to pay careful attention.

RecordQuest 

As a Release of Information (ROI) company, RecordQuest makes data security its highest priority. We are proud to be SOC 2 Type 2 Certified, and we use a trusted software platform that utilizes modern encryption protocols, robust authentication, and rigorous testing to provide information security. All activity on our platform is logged, allowing us to produce a comprehensive detailed accounting of disclosures for every information release. Our processors and quality assurance staff are also required to obtain CRIS certification, demonstrating mastery in the field of ROI. Staying abreast of any and all changes in the healthcare data security world is our job. For a secure partner that provides a workflow solution that works, contact us for more information and answers to all your security questions.